Win32:PrettyPark
is a worm with remote-access trojan functionality that was first discovered in May 1999 in France. Several "modifications" of it exist; they are functionally identical and differ only in being unpacked or packed with different compression programs. The worm installs itself on Windows 9x/NT systems. It arrives by email from users who have already run it. Emails carrying this worm have the following format:
-------------
Subject: C:\CoolProgs\Pretty Park.exe
Message text: Test: Pretty Park.exe :)
-------------
The file attached is called "Pretty park.exe" or "Pretty~1.exe".
This worm tries to email itself automatically every 30 minutes to all email addresses listed in the Windows address book associated with Outlook Express.
The worm also tries to connect to an IRC server and join a specific IRC channel. While connected, it keeps the connection alive by sending information to the IRC server and retrieves any commands posted in the channel. Through this channel the author can use the infected machine as a remote access trojan and obtain information such as the computer name, registered owner, registered organization, system root path, and Dial-Up Networking user names and passwords.
When executed, the worm copies itself to FILES32.VXD in the WINDOWS\SYSTEM folder. It then modifies the default "command" value of the registry key
HKLM\Software\CLASSES\exefile\shell\open\command
from ["%1" %*] to [FILES32.VXD "%1" %*]. Because this key defines how .exe files are launched, FILES32.VXD is run every time any .exe file is executed. Conversely, if FILES32.VXD is deleted before this value is restored, no .exe file will start at all.
Removal:
Removal is somewhat difficult because of the system changes the worm makes. The registry must be corrected first; use REGEDIT under Windows 9x or REGEDT32 under Windows NT.
a) Find all files containing the worm with the scanner, but do not remove them yet. If FILES32.VXD is missing while the registry still points to it, no .exe file will run, REGEDIT included.
b) Open an MS-DOS prompt from the Start menu, or click START|RUN and type COMMAND.
c) Type START COMMAND and press [Enter], then start REGEDIT or REGEDT32 from that prompt.
d) Restore the following registry keys that reference the worm:
HKEY_CLASSES_ROOT\exefile\shell\open\command
HKLM\Software\CLASSES\exefile\shell\open\command
Note: the default value of each should be exactly "%1" %* (the brackets used in this text are not part of the value).
e) Find and remove any values that start the worm under
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
f) Find and remove the following registry key, if it exists:
HKEY_CLASSES_ROOT.dl
then exit Registry Editor.
g) Open the WIN.INI file and delete the reference to the worm from the run= line in the [windows] section.
h) Open the SYSTEM.INI file and delete the reference to the worm from the shell= line in the [boot] section. It should contain only EXPLORER.EXE.
i) After all these changes are done, restart the system.
j) Now delete the worm files. If you get an error saying that Windows cannot delete a file because it is in use, a step above was missed. Repeat steps a) to i) and try again.
Important note:
If the worm files were deleted before the registry was repaired, the registry can still be fixed. You will need access to another computer or, at a minimum, to MS-DOS on the affected system. Using a text editor, create a file called PRETTY.REG containing the following lines:
REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
@="\"%1\" %*"
Save this file to the Windows folder of the affected system as "PRETTY.REG". Note that in a REGEDIT4 file each quotation mark inside a string value is written as \", so the value line must read @="\"%1\" %*" and not @=""%1" %*".
Click on START|RUN, type PRETTY.REG and press [Enter]. Then recheck the system according to the steps above.
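The following Python script is an added example and is not part of the original description. It shows two things from this page in code: how to tell the stock exefile open command from the hijacked FILES32.VXD "%1" %* form described above, and how to generate PRETTY.REG with the quoting REGEDIT4 requires and parse it back to verify it before importing. The key names and command values are the ones given on this page; the sample values and all function names are our own.

```python
"""Added example (not from the original description): classify an exefile
open-command value for the PrettyPark style hijack and build a correctly
escaped REGEDIT4 repair file. Sample values below are constructed."""
import re

# Stock association for .exe files: run the file itself with its arguments.
CLEAN_COMMAND = '"%1" %*'

# Keys the description tells you to restore.
REPAIR_KEYS = (
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command",
    r"HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command",
)

# Constructed sample values as they might be read out of a machine.
SAMPLE_VALUES = {
    "clean": '"%1" %*',
    "prettypark": 'FILES32.VXD "%1" %*',
    "odd": "%1",
}


def analyze_exefile_command(value):
    """Classify the default value of ...\\exefile\\shell\\open\\command.

    Returns {"state": "clean"} for the stock value, {"state": "hijacked",
    "hijacker": <program>} when something was prepended to "%1" %*, and
    {"state": "unknown"} for anything else that deserves a manual look."""
    v = value.strip()
    if v == CLEAN_COMMAND:
        return {"state": "clean"}
    m = re.match(r'^(.+?)\s+"%1"\s+%\*$', v)
    if m:
        return {"state": "hijacked", "hijacker": m.group(1)}
    return {"state": "unknown"}


def reg_quote(s):
    """Quote a REG_SZ value for a REGEDIT4 file: backslashes and double
    quotes inside the string are escaped with a backslash."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_repair_reg(keys=REPAIR_KEYS, command=CLEAN_COMMAND):
    """Return the text of PRETTY.REG: one [key] section per key, each
    setting the default value (@) back to the stock command."""
    lines = ["REGEDIT4", ""]
    for key in keys:
        lines += ["[" + key + "]", "@=" + reg_quote(command), ""]
    return "\n".join(lines) + "\n"


def reg_unquote(body):
    """Undo reg_quote on the text between the outer quotes. An unescaped
    quote inside means the line was written without escaping."""
    out, i = [], 0
    while i < len(body):
        c = body[i]
        if c == "\\":
            if i + 1 >= len(body):
                raise ValueError("dangling backslash in REG_SZ value")
            out.append(body[i + 1])
            i += 2
        elif c == '"':
            raise ValueError("unescaped quote inside REG_SZ value: " + body)
        else:
            out.append(c)
            i += 1
    return "".join(out)


def parse_reg_defaults(text):
    """Minimal REGEDIT4 reader: map each [key] to its @="..." default value.
    Enough to verify a repair file before importing it."""
    result, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key is not None and line.startswith('@="'):
            if len(line) < 4 or not line.endswith('"'):
                raise ValueError("malformed default value line: " + line)
            result[key] = reg_unquote(line[3:-1])
    return result


if __name__ == "__main__":
    for name, value in SAMPLE_VALUES.items():
        print(name, "->", analyze_exefile_command(value))
    reg = build_repair_reg()
    print(reg)
    # Round trip: the file we wrote parses back to the stock command for every key.
    assert parse_reg_defaults(reg) == {k: CLEAN_COMMAND for k in REPAIR_KEYS}
```

Running the script prints the classification of each sample value and the generated PRETTY.REG. Feeding parse_reg_defaults a file with the unescaped line @=""%1" %*" raises ValueError, which is the quickest way to catch that mistake before the file is imported on a machine that can no longer run .exe files.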